What is ITAR Compliance? Definition and Regulations

Learn more about ITAR compliance, requirements, and penalties. Find the definition, detail of regulations, types of defense articles, and more from Varonis.
Michael Buckbee
4 min read
Last updated June 9, 2023

The International Traffic in Arms Regulations (ITAR) is the United States regulation that controls the manufacture, sale, and distribution of defense and space-related articles and services as defined in the United States Munitions List (USML).

In this article, we'll cover: 

Besides rocket launchers, torpedoes, and other military hardware, the list also restricts the plans, diagrams, photos, and other documentation used to build ITAR-controlled military gear. This is referred to by ITAR as “technical data”.

Get the Free Essential Guide to US Data Protection Compliance and Regulations

ITAR mandates that access to physical materials or technical data related to defense and military technologies is restricted to US citizens only. How can a company ensure that only US citizens have and then access that data on a network and are ITAR compliant? Limiting access to the physical materials is straightforward; limiting access to digital data is more complicated.

Who Needs To Follow ITAR Compliance?

who needs to be ITAR compliant?

Any company that handles, manufactures, designs, sells, or distributes items on the USML must be ITAR compliant. The State Department’s Directorate of Defense Trade Controls (DDTC) manages the list of companies who can deal in USML goods and services, and it is up to each company to establish policies to comply with ITAR regulations.

  • Wholesalers
  • Distributors
  • Computer Software/ Hardware vendors
  • Third-party suppliers
  • Contractors

Every company in the supply chain needs to be ITAR compliant. If company A sells a part to company B and then company B sells the same part to a foreign power, company A is also in violation of ITAR.

ITAR Regulations

ITAR regulations are simple: only U.S. citizens can access items on the USML list.

ITAR’s rules can present a challenge for many US companies. A US-based company with overseas operations is prohibited from sharing ITAR technical data with employees locally hired, unless they gain State Dept. authorization. The same principle applies when US companies work with non-US subcontractors.

The State Department can issue exemptions to that one rule, and there are existing exemptions established for specific purposes. There are certain countries that currently have standing agreements with the U.S. that apply to ITAR – Australia, Canada, and the U.K., for example.

The US government requires having in place and implementing a documented ITAR compliance program, which should include tracking, monitoring and auditing of technical data. With technical data, it’s also a good idea to tag each page with an ITAR notice or marker so employees don’t accidentally share controlled information with unauthorized users.

ITAR exists to track military and defense sensitive material and to keep that material out of the hands of U.S. enemies. Noncompliance can result in heavy fines along with significant brand and reputation damage — not to mention the potential loss of business to a compliant competitor.

Penalties for ITAR Compliance Violations

Penalties for ITAR Compliance Violations
The penalties for ITAR infractions are stiff:

  • Civil fines up to $500,000 per violation
  • Criminal fines of up to $1 million and/or 10 years imprisonment per violation

In April of 2018, the State Department fined FLIR Systems, Inc $30 million in civil penalties for transferring USML data to dual national employees. Part of the penalty requires that FLIR implement better compliance measures and hire an outside official to oversee their agreement with the State Department.

In 2007 ITT took at $100 million fine to the face for exporting night-vision technology illegally. ITT thought they could workaround the restrictions, the Government didn’t agree with their interpretation of the rules.

Types of Defense Articles

There are 21 categories of Defense Articles in the USML. A defense article is anything on this long and oddly specific list.

    1. Firearms, Close Assault Weapons and Combat Shotguns
    2. Guns and Armament
    3. Ammunition/Ordnance
    4. Launch Vehicles, Guided Missiles, Ballistic Missiles, Rockets, Torpedoes, Bombs and Mines
    5. Explosives and Energetic Materials, Propellants, Incendiary Agents and Their Constituents
    6. Surface Vessels of War and Special Naval Equipment
    7. Ground Vehicles
    8. Aircraft and Related Articles
    9. Military Training Equipment and Training
    10. Personal Protective Equipment
    11. Military Electronics
    12. Fire Control, Laser, Imaging and Guidance Equipment
    13. Materials and Miscellaneous Articles
    14. Toxicological Agents, Including Chemical Agents, Biological Agents and Associated Equipment
    15. Spacecraft and Related Articles
    16. Nuclear Weapons Related Articles
    17. Classified Articles, Technical Data and Defense Services Not Otherwise Enumerated
    18. Directed Energy Weapons
    19. Gas Turbine Engines and Associated Equipment
    20. Submersible Vessels and Related Articles
    21. Articles, Technical Data and Defense Services Not Otherwise Enumerated

How to Secure Your ITAR Data

Given the penalties associated with ITAR, it makes sense to protect the digital data with as many layers of security as possible. Because ITAR is a U.S. Federal regulation, their own guidance for data security is a great place to start. NIST SP 800-53 defines the standards and guidelines federal agencies must follow, and any company that manages ITAR regulated materials should use NIST SP 800-53 as a baseline for their own security standards.. Follow these basic principles to secure your ITAR data:

  • Discover and Classify Sensitive Data
    Locate and secure all sensitive data
    Classify data based on business policy
  • Map Data and Permissions
    Identify users, groups, folder and file permissions
    Determine who has access to what data
  • Manage Access Control
    Identify and deactivate stale users
    Manage user and group memberships
    Remove Global Access Groups
    Implement a least privilege model
  • Monitor Data, File Activity, and User Behavior
    Audit and report on file and event activity
    Monitor for insider threats, malware, misconfigurations and security breaches
    Detect security vulnerabilities and remediate

ITAR Compliance FAQs

  1. How can Varonis help me find all of my ITAR data?
    The Data Classification Engine identifies and classifies regulated data on your core data stores – both on-premise and in the cloud. You can configure rules to identify ITAR data and even apply custom tags, flags, and notes to regulated data.
  2. Who can access this ITAR data?
    Varonis DatAdvantage crawls your file systems to analyze permissions to all of your data, including the ITAR data. Understanding who can access this data is step one to protecting the data from illegal access. With DatAdvantage, you can see this information graphically in a clean, user-friendly UI, or as an exportable report.
  3. How will I know if my ITAR data is accessed?
    Varonis DatAlert monitors and trigger alerts when data is accessed, including a folder of your ITAR data. You can detect, flag, and investigate any suspicious behavior or unusual activity on your ITAR data, and maintain a complete audit trail to help meet ITAR regulations.
  4. How can I manage access to ITAR data?
    The Automation Engine automatically repairs and maintains file system permissions – keeping ITAR data locked down, and helping achieve a least privilege model. Varonis DataPrivilege helps streamline data access governance, automatically enforce security policies, and demonstrate compliance to government auditors.

Want to learn more about how to manage your ITAR data to meet compliance? Get a 1:1 demo with a security engineer to see how Varonis can help.

What should I do now?

Below are three ways you can continue your journey to reduce data risk at your company:

1

Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.

2

See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.

3

Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

how-varonis-helps-with-itar-compliance
How Varonis Helps With ITAR Compliance
International Traffic in Arms Regulations (ITAR) mandates that access to physical materials or technical data related to defense and military technologies is restricted to US citizens only. According to the US...
the-mitre-att&ck-framework:-a-comprehensive-guide
The MITRE ATT&CK Framework: A Comprehensive Guide
The MITRE ATT&CK framework helps businesses discover which hacker techniques, tactics, and behaviors they're most vulnerable to. Read about how to use ATT&CK for penetration testing within your organization today.
introducing-varonis-uba-threat-models
Introducing Varonis UBA Threat Models
If you’re a regular reader of our blog, you know that we feel that the perimeter is dead, and that the battle against insider (and outsider) threats is won with...
cloudbleed---cloudflare-unauthorized-data-leak
Cloudbleed - Cloudflare Unauthorized Data Leak
Cloudflare is a huge internet infrastructure company (5.5 million websites), which means that you likely use them every day that you’re online, without ever realizing it. Depending on what metric...